problem with setting nat

Janne Snabb snabb at epipe.com
Tue Aug 23 10:27:38 UTC 2011


On Tue, 23 Aug 2011, Bartek W. aka Mastier wrote:

> I completely don't see the point of using arp-proxy at all.
> Can you enlighten me?

I do not know about the particular needs of the OP. I have not been
paying attention. Sorry if I misunderstood something.

But in the real world:

 - The upstream router is often managed by the ISP and there might
   be no way to put a static route towards the firewall in that router.

 - The available external IP block may be too small to allow subnetting
   it to "outside of the firewall" and "inside of the firewall" networks.
   This is becoming more and more of an issue as the IPv4 address space
   has already run out but people have not migrated to IPv6.

 - The IP addresses might have been previously assigned without thinking
   that there will be a firewall in future. Then later it is decided that a
   firewall is needed but it is not possible to renumber the IP addresses
   of every host (due to lack of budget, skills, documentation, etc).

All of the above are very common situations in small to medium
businesses. Proxy ARP on the firewall solves all of them easily.
You just turn it on and everything works.

(Please do not misunderstand me: I am not saying that it is an
elegant solution. However in many cases it is the only practical
solution.)

--
Janne Snabb / EPIPE Communications
snabb at epipe.com - http://epipe.com/


More information about the freebsd-pf mailing list